This is not wrong but what’s really missing is cost: Meta did this so they can avoid paying people to do it. Lots of companies follow that decay spiral: your bank could shut phishers down cold by requiring wire transfers to be authorized in person but they don’t want to pay staff or risk you being upset by a transaction taking an extra hour so they don’t.
Imagine an alternate universe where big tech companies worked with various trustworthy third-parties where something like this would generate a challenge you could take to your local notary, post office, library, police station, etc. where someone would check ID before approving it. How many phishing attacks would be prevented annually by a physical presence check?
> your bank could shut phishers down cold by requiring wire transfers to be authorized in person but they don’t want to pay staff or risk you being upset by a transaction taking an extra hour so they don’t.
Isn't this essentially what just recently happened to the Pope? Then there were people here doing the rest of your comment for him saying how egregious it was for them to ask for an in person authorization. It sounded like all he was trying to do was update his address, but changing your address from one in Chicago to one in a European country absolutely sounds like something a phisher would be trying to do.
Its perfectly acceptable for a security model to make things difficult for extreme edge cases like the pope. After all if the situation warrants it such rare events can always be escalated.
for a while facebook had the ability to recover your account by having them ask several of your friends if the recovery was legitimate but it was turned off. my guess is that not enough people added trusted contacts to bother running it.
I actually quite like this solution. Beats asking users to add a "recovery selfie" (something Meta actually does now) - I'd rather choose 3 of my friends and have them approve some notification in-app. Seems like better UX and preserves privacy a slight bit more, but we all know Meta's not in the privacy business.
The amount of hassle involved with regular physical checks is why it's not implemented, regardless of attack prevention.
The cost of hiring a person is part of it but not really the core reason. People were sold on the Internet with "you can do things online conveniently" and reintroducing the need to physically go somewhere negates that angle entirely.
To be clear, I was thinking cost as more than just payroll - e.g. my bank can do this because they have paid for a branch near my house, Facebook does not - but another way to look at it is that many of the costs due to errors have been shifted to the user.
I do think friction causes a reflexive resistance to the idea but I think that might be an overreaction. This is a rare thing people should be doing no more than a few times in their life.
> People were sold on the Internet with "you can do things online conveniently" and reintroducing the need to physically go somewhere negates that angle entirely
But how often does one need to do recovery procedures like this?
How much less convenient is it for everyone else to be at risk of their account being taken over?
Then you get trusted parties selling account access. Even if you remove them for a single false positive they will do it. A bit like a % packages "vanishing".
> Then you get trusted parties selling account access
How many bank tellers or USPS employees do that, though? It’s possible but quite rare because people know they’ll be running a big risk of being caught and no individual transaction is worth that much.
It's worse than "forgetting." Having seen older folks just set up new accounts for a move, they make zero attempt to even try to keep them! Oh, the phone company needs a login/pass? Just type in anything, don't write it down. If something goes wrong, they're going to call in anyway, not use the website.
I had to go through the account recovery on my Facebook account once and the proof they demanded was that I match a bunch of pictures of friends to their names. I think it took 3 tries over multiple days to actually get it unlocked because it turns out I such really remember a lot of the people I met 20 years ago and friended on Facebook.
I don’t recall why I had to go through this song and dance. Very plausibly the account was still associated with an old school address that I could no longer access. So yeah, account recovery is hard. How do you prove someone owns an account when they’ve lost the things they are supposed to use to prove ownership?
I manage customer identity and access management ("CIAM") for a financial services firm. Passkeys are primary, recovery can be performed by providing a government credential remotely (which costs us ~$2-3 per recovery). I do not think it is hard, based on what we have built and spent to enable these capabilities. NIST Special Publication NIST SP 800-63 Digital Identity Guidelines is a helpful resource on this topic.
I think Meta just does not care if they're enabling AI attack surface and vulnerabilities into these customer journeys. It's...certainly a choice, versus deterministic journeys with hard guardrails. They could make different choices.
> recovery can be performed by providing a government credential remotely
That only works because you presumably do KYC when you open accounts, so you have an identity to match to. Most internet accounts don't do real KYC, so a government credential doesn't really work for recovery --- they didn't know who you were, so proving who you are doesn't help anything.
That doesn't mean that letting anyone sweet talk support or an AI into taking over an account is acceptable, of course.
It's a hard problem. How do you prove you own an account if you lost all proof of ownership? Especially so if an account was never tied to your real name, in which case you could at least rely on government ids.
the alternative is people losing their accounts and people aren't willing to allow that. i do think that apple does this a little better where they try everything to contact you in every way they know and it takes a week to get access. at a minimum to change your email it should require a week of waiting to see if the user can access the original mail to the hand off.
This is not wrong but what’s really missing is cost: Meta did this so they can avoid paying people to do it. Lots of companies follow that decay spiral: your bank could shut phishers down cold by requiring wire transfers to be authorized in person but they don’t want to pay staff or risk you being upset by a transaction taking an extra hour so they don’t.
Imagine an alternate universe where big tech companies worked with various trustworthy third-parties where something like this would generate a challenge you could take to your local notary, post office, library, police station, etc. where someone would check ID before approving it. How many phishing attacks would be prevented annually by a physical presence check?
> your bank could shut phishers down cold by requiring wire transfers to be authorized in person but they don’t want to pay staff or risk you being upset by a transaction taking an extra hour so they don’t.
Isn't this essentially what just recently happened to the Pope? Then there were people here doing the rest of your comment for him saying how egregious it was for them to ask for an in person authorization. It sounded like all he was trying to do was update his address, but changing your address from one in Chicago to one in a European country absolutely sounds like something a phisher would be trying to do.
Its perfectly acceptable for a security model to make things difficult for extreme edge cases like the pope. After all if the situation warrants it such rare events can always be escalated.
for a while facebook had the ability to recover your account by having them ask several of your friends if the recovery was legitimate but it was turned off. my guess is that not enough people added trusted contacts to bother running it.
https://www.theverge.com/2013/5/2/4292744/facebook-trusted-c...
I actually quite like this solution. Beats asking users to add a "recovery selfie" (something Meta actually does now) - I'd rather choose 3 of my friends and have them approve some notification in-app. Seems like better UX and preserves privacy a slight bit more, but we all know Meta's not in the privacy business.
The amount of hassle involved with regular physical checks is why it's not implemented, regardless of attack prevention.
The cost of hiring a person is part of it but not really the core reason. People were sold on the Internet with "you can do things online conveniently" and reintroducing the need to physically go somewhere negates that angle entirely.
To be clear, I was thinking cost as more than just payroll - e.g. my bank can do this because they have paid for a branch near my house, Facebook does not - but another way to look at it is that many of the costs due to errors have been shifted to the user.
I do think friction causes a reflexive resistance to the idea but I think that might be an overreaction. This is a rare thing people should be doing no more than a few times in their life.
> People were sold on the Internet with "you can do things online conveniently" and reintroducing the need to physically go somewhere negates that angle entirely
But how often does one need to do recovery procedures like this?
How much less convenient is it for everyone else to be at risk of their account being taken over?
Then you get trusted parties selling account access. Even if you remove them for a single false positive they will do it. A bit like a % packages "vanishing".
The least terrible seem digital id.
> Then you get trusted parties selling account access
How many bank tellers or USPS employees do that, though? It’s possible but quite rare because people know they’ll be running a big risk of being caught and no individual transaction is worth that much.
It's a tough problem, because people forget passwords, change phones, lose access to 2FA devices, but still need to use their accounts.
It's worse than "forgetting." Having seen older folks just set up new accounts for a move, they make zero attempt to even try to keep them! Oh, the phone company needs a login/pass? Just type in anything, don't write it down. If something goes wrong, they're going to call in anyway, not use the website.
I had to go through the account recovery on my Facebook account once and the proof they demanded was that I match a bunch of pictures of friends to their names. I think it took 3 tries over multiple days to actually get it unlocked because it turns out I such really remember a lot of the people I met 20 years ago and friended on Facebook.
I don’t recall why I had to go through this song and dance. Very plausibly the account was still associated with an old school address that I could no longer access. So yeah, account recovery is hard. How do you prove someone owns an account when they’ve lost the things they are supposed to use to prove ownership?
I manage customer identity and access management ("CIAM") for a financial services firm. Passkeys are primary, recovery can be performed by providing a government credential remotely (which costs us ~$2-3 per recovery). I do not think it is hard, based on what we have built and spent to enable these capabilities. NIST Special Publication NIST SP 800-63 Digital Identity Guidelines is a helpful resource on this topic.
https://pages.nist.gov/800-63-4/
I think Meta just does not care if they're enabling AI attack surface and vulnerabilities into these customer journeys. It's...certainly a choice, versus deterministic journeys with hard guardrails. They could make different choices.
> recovery can be performed by providing a government credential remotely
That only works because you presumably do KYC when you open accounts, so you have an identity to match to. Most internet accounts don't do real KYC, so a government credential doesn't really work for recovery --- they didn't know who you were, so proving who you are doesn't help anything.
That doesn't mean that letting anyone sweet talk support or an AI into taking over an account is acceptable, of course.
1 reply →
I’d wager your range of tech literacy/capabilities for your firm is much narrower than big tech.
4 replies →
It's a hard problem. How do you prove you own an account if you lost all proof of ownership? Especially so if an account was never tied to your real name, in which case you could at least rely on government ids.
Simple, you don't. This is all going to seem quaint in a few years when old accounts started getting deleted for inactivity.
fair enough, but what's the actual point of 2FA if it's so easy to override?
the alternative is people losing their accounts and people aren't willing to allow that. i do think that apple does this a little better where they try everything to contact you in every way they know and it takes a week to get access. at a minimum to change your email it should require a week of waiting to see if the user can access the original mail to the hand off.
In some cases, checkbox-compliance with customer requirements.
It depends. Some like AWS take it deadly seriously and it takes a long time to recover root access to an account.